From patchwork Tue Oct 6 17:40:41 2015
X-Patchwork-Submitter: Alistair Francis
X-Patchwork-Id: 526934
From: Alistair Francis
Date: Tue, 6 Oct 2015 10:40:41 -0700
X-Mailer: git-send-email 2.1.4
Cc: oleksandr.bazhaniuk@intel.com, peter.maydell@linaro.org, i.mitsyanko@gmail.com, stefanha@gmail.com, james.l.walter@intel.com, armbru@redhat.com, alistair.francis@xilinx.com, crosthwaitepeter@gmail.com, kevin@koconnor.net, wehuang@redhat.com, jsnow@redhat.com, secure@intel.com
Subject: [Qemu-devel] [PATCH v1 1/1] sdhci.c: Limit the maximum block size

It is possible for the guest to set an invalid block size which is larger than the fifo_buffer[] array. This could cause a buffer overflow. To avoid this, limit the maximum size of the blksize variable.

Signed-off-by: Alistair Francis
Suggested-by: Igor Mitsyanko
Reported-by: Intel Security ATR
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Peter Crosthwaite
---
 hw/sd/sdhci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 65304cf..1d47f5c 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1006,6 +1006,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) MASKED_WRITE(s->blksize, mask, value); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); } + + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \ + "the maximum buffer 0x%x", __func__, s->blksize, + s->buf_maxsz); + + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + } + break; case SDHC_ARGUMENT: MASKED_WRITE(s->argument, mask, value);
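Review bot: the diagnostic inside the `if (extract32(s->blksize, 0, 12) > s->buf_maxsz)` branch logs the raw register `s->blksize` as "Size 0x%x", while the comparison and the clamp via `deposit32(s->blksize, 0, 12, s->buf_maxsz)` operate on the 12-bit block-size field only; whenever the guest has set any of bits 12 and above, the logged size will not be the value that was actually rejected. Suggest passing `extract32(s->blksize, 0, 12)` to qemu_log_mask instead. Two smaller points: the trailing backslash after `"%s: Size 0x%x is larger than " \` is redundant, since adjacent string literals already concatenate, and the format string has no terminating "\n", so the message will run into the next log line. The clamp also relies on `s->buf_maxsz` fitting in 12 bits; if it could ever exceed 0xFFF, deposit32 would silently truncate the stored value, so a comment or assertion on that bound would make the invariant explicit.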
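The defect the commit message describes, a guest-writable length field checked against nothing before the data path trusts it, is easier to see in a small stand-alone model. The following C program is an added example and is not QEMU code: it keeps a cut-down register struct with a 512-byte FIFO (the capacity, the struct, and the `model_` helper names are assumptions; the helpers reimplement the semantics of QEMU's extract32/deposit32 so the file compiles on its own) and contrasts the unchecked register write with the clamped one from the patch, verifying that the clamp bounds the 12-bit field while leaving the register's upper bits untouched.

```c
/* Added example, not QEMU's code: a minimal model of the SDHCI BLKSIZE
 * register write showing why an unchecked guest-controlled block size can
 * exceed a fixed FIFO, and how clamping the 12-bit field (bits 0..11) to the
 * buffer capacity prevents it while preserving the register's other bits. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_MAXSZ 512u /* assumed capacity of the model's fifo_buffer[] */

typedef struct {
    uint32_t blksize;    /* BLKSIZE register: bits 0..11 hold the block size */
    uint32_t buf_maxsz;  /* capacity of fifo_buffer[], must fit in 12 bits */
    uint8_t  fifo_buffer[FIFO_MAXSZ];
} SDHCIModel;

/* Same semantics as QEMU's extract32(): `length` bits starting at `start`. */
static uint32_t model_extract32(uint32_t value, int start, int length)
{
    return (value >> start) & (~0U >> (32 - length));
}

/* Same semantics as QEMU's deposit32(): replace `length` bits at `start`. */
static uint32_t model_deposit32(uint32_t value, int start, int length,
                                uint32_t fieldval)
{
    uint32_t mask = (~0U >> (32 - length)) << start;
    return (value & ~mask) | ((fieldval << start) & mask);
}

/* Vulnerable write: stores whatever the guest supplies, no bound at all. */
void blksize_write_unchecked(SDHCIModel *s, uint32_t value)
{
    s->blksize = value;
}

/* Hardened write, the logic of the patch: clamp the 12-bit block-size field
 * to the buffer capacity. Returns true when a clamp happened, which is the
 * condition the patch reports through qemu_log_mask(LOG_GUEST_ERROR, ...). */
bool blksize_write_clamped(SDHCIModel *s, uint32_t value)
{
    s->blksize = value;
    if (model_extract32(s->blksize, 0, 12) > s->buf_maxsz) {
        fprintf(stderr, "blksize: size 0x%x is larger than the maximum buffer 0x%x\n",
                model_extract32(s->blksize, 0, 12), s->buf_maxsz);
        s->blksize = model_deposit32(s->blksize, 0, 12, s->buf_maxsz);
        return true;
    }
    return false;
}

/* The invariant the data path needs before copying a block into the FIFO. */
bool block_size_fits(const SDHCIModel *s)
{
    return model_extract32(s->blksize, 0, 12) <= s->buf_maxsz;
}

/* Scenario helpers: apply one guest write to a fresh model and report the
 * outcome, so the two paths can be compared on the same input. */
int demo_unchecked_fits(uint32_t guest_value)
{
    SDHCIModel s;
    memset(&s, 0, sizeof s);
    s.buf_maxsz = FIFO_MAXSZ;
    blksize_write_unchecked(&s, guest_value);
    return block_size_fits(&s) ? 1 : 0;
}

uint32_t demo_clamped_register(uint32_t guest_value)
{
    SDHCIModel s;
    memset(&s, 0, sizeof s);
    s.buf_maxsz = FIFO_MAXSZ;
    blksize_write_clamped(&s, guest_value);
    return s.blksize;
}

int main(void)
{
    /* Constructed guest value: block size 0xFFF with bits 12..14 also set. */
    uint32_t guest = 0x7FFF;
    printf("unchecked write: block fits FIFO? %s\n",
           demo_unchecked_fits(guest) ? "yes" : "no");
    printf("clamped write:   register = 0x%x (field clamped, upper bits kept)\n",
           demo_clamped_register(guest));
    return 0;
}
```

Running the program shows the unchecked path accepting a 4095-byte block against a 512-byte FIFO, while the clamped path stores 0x7200: the size field reduced to 512 and bits 12..14 left exactly as the guest wrote them, which is what makes the `extract32`/`deposit32` pairing in the patch preferable to overwriting the whole register.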